ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0
5.06k stars 737 forks source link

A question about GetAsyncKeystate #227

Closed unemknip closed 1 year ago

unemknip commented 1 year ago

Hello! I saw this thread (https://github.com/ufrisk/pcileech/issues/225) and I became interested in this question, perhaps I should have asked it in the thread but I did not really want to interrupt the author, so I decided to create a separate thread as I think that the question is common, but I somehow did not see anywhere else answer.

As I already understood in my personal practice it's impossible to capture GetAsyncKeyState, and I also understand that PCILEECH doesn't have any function that replaces this one, could you please tell me about it in more detail? Or maybe there was already an example, but I missed it, my logic probably works on the principle that we should take some Windows module and read this function from it ? To be honest I didn't really went deep and didn't even look in which module this function is, just maybe you already have a better solution in the library for this, and for example I don't need to read a bunch of information manually if for example I need several functions instead of one.

Thank you for your reply

ufrisk commented 1 year ago

As far as I know it's always been possible to read the kernel buffer for it. It's in session kernel space though so not in PID4. But read it from the correct csrss.exe process (which I've included kernel memory in for convenience) or mask PID with 0x80000000 on some other process (for example winlogon.exe seems to be popular amongst others. It used to be win32kbase.sys!gafAsyncKeyState. This have changed in Win11 22H2 though as per the thread you quoted.

For more details how to parse that buffer it's probably better to ask around on other forums though, but yes it should be possible using PCILeech/MemProcFS.